ICO issues implementation guidance on cookie regulations

The Information Commissioner has now published the promised guidance on the new “Cookies Regulations”, which implement a European e-Privacy Directive. This note summarises that guidance and considers how businesses might comply with the new requirements. Associate Solicitor Caroline Redhead explains.

Following last month's update on the changes to the requirements relating to cookies, the Information Commissioner has now published the promised guidance on the new “Cookies Regulations”, which implement the amended European e-Privacy Directive. This note summarises that guidance and considers how businesses might comply.

Implementation

The Commissioner recognises that, in many cases, implementing the rule requiring consent for cookies will be challenging for organisations. He has issued separate advice on how the requirements might be met in practice and acknowledges that insisting on a rushed implementation could significantly restrict the operation of internet services that users take for granted, causing disproportionate inconvenience to website providers and users alike.

Accordingly, the Commissioner will allow a lead-in period of 12 months for organisations to develop ways of meeting the requirements of the new Regulations before he moves towards the approach set out in his Data Protection Regulatory Action Policy and considers using his enforcement powers to compel compliance in appropriate cases. The lead-in period runs from 26 May 2011, when the Regulations came into force, and will end in May 2012.

In allowing this lead-in period the Commissioner has borne in mind the Government’s publicised view that:

• work on technical solutions will not have been completed before the implementation deadline;
• it will take time for these solutions to be developed, evaluated and rolled out; and
• during this time the Government does not expect that ICO will take enforcement action against organisations that are working to address their use of cookies or are engaged in development work on browsers and/or other solutions.

Businesses should now be taking steps to ensure they can properly comply with the revised rules for cookies by May 2012. If it appears to the Commissioner that particular organisations are not making adequate preparations to be compliant by May 2012, he may issue them with a warning as to the future use of his enforcement powers. If complaints are received after May 2012, any such warnings will be taken into account by the Commissioner in deciding if and when to issue an organisation with an enforcement notice.

From May 2012 onwards the Commissioner will follow the approach to enforcement set out in his Data Protection Regulatory Action Policy. This means that in deciding whether to take enforcement action in relation to a breach of the revised cookies rules he will be concerned with the impact of the breach on the privacy and other rights of website users and not just with whether there has been a technical breach of the Regulations.

In the meantime it is nevertheless likely that the Commissioner will receive complaints about cookies. Initially, where those complaints indicate non-compliance with the Regulations, he will provide advice to the organisation concerned on the requirements of the law and how it might comply. Where he considers it appropriate, and particularly as May 2012 approaches, he has indicated that he will also ask organisations to explain the steps they are taking to ensure that they will, in fact, be in a position to comply by May 2012.

How can businesses comply?

The Regulations expressly require a website operator to provide users with clear and comprehensive information about the purpose of the storage of, or access to, the cookies it places on the user's equipment. Whilst the Regulations do not specify when and how that information should be provided, the Information Commissioner's initial guidance states that, if the information is to be included in a privacy policy, the policy should be clearly signposted at least on those pages through which a user may enter the website. The guidance also states that sites which permit third parties to set cookies will have to inform users that this is the case, but offers no concrete suggestion as to what would suffice. For businesses considering how to obtain consent for third-party cookies, the Framework for Online Behavioural Advertising is a useful reference point.

The approach the ICO has taken on its own website is to set out, in table form, the name and purpose of each cookie it uses, together with links to further information from external sources. This ties in with the ICO’s general advice to providers that, before deciding on a method for obtaining consent, they should audit what cookies and similar technologies they are using, consider how they use them and assess how intrusive that use is.

The significant change introduced by the Regulations is that website operators must now obtain users’ consent to the use of cookies. It is currently still unclear what the best way to obtain that consent might be. The methods under discussion include pop-ups and similar techniques, website privacy settings and browser-based settings; website operators are advised to pay most attention to the most “privacy intrusive” cookies.

Whilst the Regulations anticipate that, as a general rule, “consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or program to signify consent”, the ICO and the Department for Culture, Media and Sport agree that at present most browser settings are not sophisticated enough for online providers to assume that a user has consented to a website setting a cookie. The Government is currently working with the major browser manufacturers to address this, but solutions at browser level may not materialise, and even if they do, not all visitors to a website would use them (for example, those accessing the website on a mobile phone).

Clearly, what is appropriate in terms of consent varies with what the website is expected to do, and various possibilities exist.

A user’s consent to the setting of cookies might be implied as part of the wording of the privacy policy. It is currently unclear whether this approach is sufficient in all cases to comply with the new requirements, and website operators should exercise caution in this respect. The option is more likely to achieve compliance where a user must agree to the terms of the privacy policy as part of the sign-on process that gives access to the substantive part of the website (for example, members-only social media websites or websites where substantive content is placed behind a paywall). If website operators use this approach, they should ensure that all non-essential cookies are set only once the user has accepted the terms of the privacy policy. Although the government guidance suggests that it may be possible to obtain consent while the cookie is being placed, or after it has been placed, this should be the exception rather than the rule, as it appears to contradict the opinion of the EU's Article 29 Working Party in this area.

Another approach, of wider application, reflects that taken by the ICO in relation to its own website and is probably suitable for all websites. The website alerts users to the fact that it uses cookies by displaying a notice as a header or footer on each web page. The notice should include a link to the website’s privacy policy and should allow the user to accept cookies by ticking a box. If the user does not tick the box, the website operator should refrain from setting any cookies other than those, like session cookies, that are essential for operating the site. Essential cookies are exempt from the consent requirement under the Regulations, which exempt cookies that are “strictly necessary” for a service the user has explicitly requested (although there will be differences of opinion, going forward, as to what constitutes “strictly necessary” for these purposes). As a matter of good practice, the user should nevertheless be informed that restrictions on their use of the website apply and/or that website functionality will be affected if they decide to reject cookies.

If a user accepts cookies from the site, it might make sense for the website operator to store that preference (for example, by setting a “cookie acceptance” cookie in the user’s browser – provided, of course, consent has been granted!), to avoid the need to obtain consent again when the user next visits the site.
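The two paragraphs above describe a mechanism rather than a legal position: hold back every non-essential cookie until the user ticks the box, then record the acceptance in a cookie of its own so the question is not asked again. The following is an added example, written for this note and not taken from the ICO's site or guidance, of how such a gate can be implemented in client-side JavaScript. The cookie names, the allow-list of "essential" cookies, the consent cookie name and the in-memory cookie jar are all assumptions made for illustration; the jar stands in for `document.cookie` so the code runs under Node.

```javascript
// Added example (not from the ICO guidance or the article): a client-side
// consent gate that sets only "essential" cookies until the user opts in,
// then records the acceptance in a consent cookie and flushes the queue.
// Cookie names, the allow-list and the in-memory jar are assumptions.

const CONSENT_COOKIE = 'cookie_consent';       // assumed name of the "acceptance" cookie
const CONSENT_MAX_AGE = 60 * 60 * 24 * 365;     // remember the choice for one year (seconds)

// Assumed allow-list of cookies treated as strictly necessary for the site to
// work. The article notes that what counts as "essential" is contested, so
// this list is a policy decision, not a technical one.
const ESSENTIAL = new Set(['sessionid', 'csrftoken', CONSENT_COOKIE]);

// Parse a "name=value; name2=value2" string (document.cookie / Cookie header).
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Build one Set-Cookie / document.cookie assignment string.
function serializeCookie(name, value, { maxAge, path = '/', secure = true, sameSite = 'Lax' } = {}) {
  let s = `${name}=${encodeURIComponent(value)}; Path=${path}; SameSite=${sameSite}`;
  if (maxAge !== undefined) s += `; Max-Age=${maxAge}`;
  if (secure) s += '; Secure';
  return s;
}

// True only if the user has previously ticked the box.
function hasConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'accepted';
}

// In-memory stand-in for document.cookie so the example runs outside a browser.
class MemoryJar {
  constructor() { this.cookies = {}; }
  get() { return Object.entries(this.cookies).map(([k, v]) => `${k}=${v}`).join('; '); }
  set(str) {
    const [pair] = str.split(';');             // ignore attributes; keep name=value
    const idx = pair.indexOf('=');
    this.cookies[pair.slice(0, idx).trim()] = pair.slice(idx + 1).trim();
  }
}

// Defers non-essential cookies until consent is recorded, then flushes them.
class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.pending = [];
    this.consented = hasConsent(jar.get());     // a prior acceptance is honoured
  }
  set(name, value, attrs) {
    if (ESSENTIAL.has(name) || this.consented) {
      this.jar.set(serializeCookie(name, value, attrs));
      return true;                               // written now
    }
    this.pending.push([name, value, attrs]);
    return false;                                // held back until grant()
  }
  grant() {                                      // user ticked the box
    this.jar.set(serializeCookie(CONSENT_COOKIE, 'accepted', { maxAge: CONSENT_MAX_AGE }));
    this.consented = true;
    const flushed = this.pending.length;
    for (const [n, v, a] of this.pending) this.jar.set(serializeCookie(n, v, a));
    this.pending = [];
    return flushed;
  }
  deny() {                                       // user left the box unticked
    const dropped = this.pending.length;
    this.pending = [];
    return dropped;
  }
}

// Walk through one visit over the in-memory jar: essential cookie set at once,
// analytics cookie held back, then released when the box is ticked.
function demo() {
  const jar = new MemoryJar();
  const gate = new ConsentGate(jar);
  gate.set('sessionid', 'abc123');               // essential: set immediately
  gate.set('analytics_id', 'ua-999');            // non-essential: held back
  const before = parseCookies(jar.get());
  gate.grant();
  const after = parseCookies(jar.get());
  return { before, after, remembered: new ConsentGate(jar).consented };
}

// In a browser the jar would wrap document.cookie:
//   const jar = { get: () => document.cookie, set: (s) => { document.cookie = s; } };
```

Two caveats a practitioner would want. First, a gate like this only controls cookies set by the site's own scripts; third-party scripts (advertising, analytics, social widgets) set their own cookies the moment they load, so to honour the third-party point made earlier they must not be loaded at all until `grant()` has run. Second, the consent cookie is itself a cookie, which is why it is placed on the essential allow-list: the Regulations' "strictly necessary" exemption is what permits it to be set without a prior tick.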

The Regulations allow website operators to make a user's access to certain web pages dependent on his or her acceptance of cookies; where a user chooses to access certain information or a particular tool or function, consent might be incorporated into that functionality. Pop-ups might be suitable as a means of informing users (and seeking consent) at the point a cookie is set, although in many situations this will irritate users of the website.

Comment

As with many aspects of the law concerning data protection and privacy, there are shades of grey here for businesses and website operators to consider; the Information Commissioner has gone so far as to say that they are “best placed to work out” how to get information to their users, what those users will understand and how they would like to demonstrate consent. Websites aimed at particular sections of the online community, such as children, will need to think carefully about how the consent of younger children is obtained (the ICO has suggested that explicit parental consent is required where a child is under 12 years of age).

For further information or advice on information law, contact Caroline Redhead on 01228 552222.